Malware Analysis Report

2024-10-19 02:13

Sample ID 231231-ez4mmsafhm
Target 28048a470181ea26c44efccc5613248d
SHA256 52d2303ef0ca3af61a62ab3041abdd1782189394a97777c7d5d9b488b85f1cdd
Tags
cryptbot nullmixer privateloader redline sectoprat smokeloader vidar 706 pub1 pub5 aspackv2 backdoor discovery dropper infostealer loader persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

52d2303ef0ca3af61a62ab3041abdd1782189394a97777c7d5d9b488b85f1cdd

Threat Level: Known bad

The file 28048a470181ea26c44efccc5613248d was found to be: Known bad.

Malicious Activity Summary

RedLine payload

SectopRAT

NullMixer

PrivateLoader

RedLine

Vidar

SectopRAT payload

CryptBot

CryptBot payload

SmokeLoader

Vidar Stealer

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

ASPack v2.12-2.42

Adds Run key to start application

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: MapViewOfSection

Modifies system certificate store

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 04:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 04:23

Reported

2024-01-02 05:08

Platform

win7-20231215-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28048a470181ea26c44efccc5613248d.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description Indicator Process Target
N/A N/A N/A N/A

NullMixer

dropper nullmixer

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\28048a470181ea26c44efccc5613248d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat0489e5e7edba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat046b489ca6a4ca7b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat043dfd5d2de5535b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat0451bd044df656.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat0467ed277dbd5c.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat04a3dff8dec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat0451bd044df656.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat0467ed277dbd5c.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat0489e5e7edba.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat0489e5e7edba.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat0489e5e7edba.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat04436aa032.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat04436aa032.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat04436aa032.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat046b489ca6a4ca7b.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat04436aa032.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat04436aa032.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat046b489ca6a4ca7b.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat046b489ca6a4ca7b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat04436aa032.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat04436aa032.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat0489e5e7edba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat0489e5e7edba.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat0489e5e7edba.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat041b8c13f01a.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat04436aa032.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat043dfd5d2de5535b.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1744 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\28048a470181ea26c44efccc5613248d.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2236 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\setup_install.exe
PID 2868 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\28048a470181ea26c44efccc5613248d.exe

"C:\Users\Admin\AppData\Local\Temp\28048a470181ea26c44efccc5613248d.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0451bd044df656.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat043dfd5d2de5535b.exe

C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat043dfd5d2de5535b.exe

Sat043dfd5d2de5535b.exe

C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat04436aa032.exe

Sat04436aa032.exe

C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat041b8c13f01a.exe

Sat041b8c13f01a.exe

C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat044149d0d9a89f.exe

Sat044149d0d9a89f.exe

C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat04a3dff8dec.exe

Sat04a3dff8dec.exe

C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat046b489ca6a4ca7b.exe

Sat046b489ca6a4ca7b.exe

C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat0467ed277dbd5c.exe

Sat0467ed277dbd5c.exe

C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat0451bd044df656.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat0451bd044df656.exe" -a

C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat0489e5e7edba.exe

Sat0489e5e7edba.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c cmd < Abbassero.wmv

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^VHwgFRxzxxLcwcGoqrvwdRkyDDkqmNLTpdmTOMvFsotvynnSaSEGawtrcWKeGzUGIRjLVNzgHQJiNPZttzIGotBijvbSexZYgbNhjNWFndZB$" Rugiada.wmv

C:\Windows\SysWOW64\dllhost.exe

dllhost.exe

C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat0451bd044df656.exe

Sat0451bd044df656.exe

C:\Windows\SysWOW64\PING.EXE

ping OZEMQECW -n 30

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com

Piu.exe.com L

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat041b8c13f01a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0467ed277dbd5c.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com L

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat04436aa032.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat04a3dff8dec.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat046b489ca6a4ca7b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat044149d0d9a89f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0489e5e7edba.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 964

Network

Country Destination Domain Proto
US 8.8.8.8:53 hsiens.xyz udp
NL 37.0.10.214:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 mfBkjRLTfwLSsveoSyZ.mfBkjRLTfwLSsveoSyZ udp
US 8.8.8.8:53 your-info-services.xyz udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 webboutiquestudio.xyz udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 eduarroma.tumblr.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 74.114.154.22:443 eduarroma.tumblr.com tcp
US 8.8.8.8:53 yournewsservices.xyz udp
US 8.8.8.8:53 iplogger.org udp
US 104.21.4.208:443 iplogger.org tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
US 8.8.8.8:53 viacetequn.site udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 2no.co udp
US 104.21.79.229:443 2no.co tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
NL 37.0.10.244:80 tcp
US 8.8.8.8:53 aucmoney.com udp
US 8.8.8.8:53 thegymmum.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 atvcampingtrips.com udp
US 8.8.8.8:53 kuapakualaman.com udp
US 8.8.8.8:53 renatazarazua.com udp
US 8.8.8.8:53 nasufmutlu.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
NL 212.193.30.115:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 knuywu58.top udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
N/A 127.0.0.1:49281 tcp
N/A 127.0.0.1:49283 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp

Files

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 d4985c8e45b791adbf9c667627499f72
SHA1 cc3be56ad31bef59daabbe3d8bd791333ca7e99c
SHA256 67cc74a9509dd67bc44427d0c0b014779861da78408af60124a9dd4a7c273ea5
SHA512 f7f77a7700de924d0c42d164c673a79ff60435408e5433ede69a945f9259bf5bb127ec0237b377cbe9d8551fedcb0a927dc3e250bffd99396c02e530b6e321d5

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 57a5cb89dbec04c87e6128d3e7b6d20d
SHA1 96f31421f5fdfec7123b2af0547c746a8d084720
SHA256 d3e5b5c039ddcd61aa48351d5f403dcf672aa0da1e36d3f2227902dc755d6f6b
SHA512 f7d2dad11b15daeecc8b28354f5037a68da131bddc9ead09e923b3ad52a850d32f6c38c03760830d7227f7b2c9edee9018280c3a0911315b7a9122f685279705

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 1b881d4cfbe2fbe51e81870e45e4f4bd
SHA1 cc150a35b3a0f284fff8b6d0f5dabae506b12ed8
SHA256 52ec5a529f034b5d2c9a11eeb144eb7f3f30895f120eaf9db9ea788e843c68d0
SHA512 1acda31c178a5b130eef40da2aba025d5502800105e3767fb18b7cb1a6d5af2972dc4847f2cf05fe523d11e37ae52a6092a2296da26e74280bb97c86deaa9799

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 d9190e4504f2d18f233b10fd95acc138
SHA1 0b1fe8c74bc56c261de8a550af8102298fd0f681
SHA256 149989b7f5bb4aa67a847f7ebf588d0c4d78317935c398d65dcd384fd578ed61
SHA512 b714b5d88ae91786505667a126023cfd0878acc32a783dff08b7804c7227b75293de880f327e5394a11cc00e164e8f320212999ccb7df580959f42274b700971

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 6f6872f4368f89ad0ae6691b8b5af28e
SHA1 d856275c52ec65a5c0fe931bfe08b25fe0f019d3
SHA256 4e9181cc88071b6d9d8ed085cc2cb7ecd71350ebfdb1cef990d2f45ff99ecad8
SHA512 8531b39fd30eb10376101de02f0447ff3830bc55283c12d6a9bf919624949ed54c39cd2395caf211493d21c1914ce2934b2e33f9efa057e09483788ff37da0aa

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 3ebca914404c29e9fec675ec540174fa
SHA1 6887cab5465ae64348f5379cc4ad6da281ec7c12
SHA256 a931d6a05d266bb0abca665e8ee63b65833f13fcb0ad96f6670188fba8118d6c
SHA512 54c1233dfdd0975e5587c8cf511240321c6b22bb88afb7aee4414a3e6bc46e4f71c4777335b13b4d29ee47c01827433af0a71ba2fee7beae2247c5b4bb860ab8

C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\setup_install.exe

MD5 0c29ce3ac3e144bb24a39d2b6fc11a0d
SHA1 6576c55caf8f099e66dbb5ec699c797a4b48bb11
SHA256 355f03524df61666c7c54608ed6c132fb18e593ec9f39ef8ce0bb04e5c0d7bbc
SHA512 bbdbd9a80d16ebaa121f89bdc2f7284948284e49f54691dc168d5fa6f593f5ab4e2c72d2729bc82b98a8fa1aea31a928f74f25889af6e18066ae7d7fe14c4a48

\Users\Admin\AppData\Local\Temp\7zSCB87E566\setup_install.exe

MD5 b9b7db481efa6eb4bd4b2cce86eb95c4
SHA1 949b19b3172bdcb6d15ca16a0f886b0a10fdb7b3
SHA256 c33ca17ef72627b45bb776cccd8fe6ded5429379c9978c3211470a2a6ac9f606
SHA512 3104fc696e39cb02fdc2439b681dac33480bba3c85399a13f814d982319ff3fbde446049872cb9d6b0edee718d8dd9ee1ef1c58ffdf4250803852859d106dc98

\Users\Admin\AppData\Local\Temp\7zSCB87E566\setup_install.exe

MD5 8f6184cf3de0d5e6323515d526907ff2
SHA1 de96240f7b62213704ff345103bae589570118ee
SHA256 c4c53c9ffe39412caaad2fc8c679039845138185eab1acc5f8729479dfc39199
SHA512 17d4411f21fd14223b02f529124a5b0f3b8340cc46257ab8870125931fa78c99a097b2b45f974484ac204c21073c036884d2704b8f27718b33dc7ba87fc8aacf

\Users\Admin\AppData\Local\Temp\7zSCB87E566\setup_install.exe

MD5 9ca37abe20cf190891e4a96e5b8bcf38
SHA1 46488a918a257a1ef9114b43992a278a2b0ef768
SHA256 93b84234c01e8bf4aa769f08c74f0315609d3a2e56f97368b36eb9ac49b65d8a
SHA512 06ffd70dc31240e1cbde45899a15b57249d3aeed137e60c96c3100176c4dd02cbeccda44024fb1ebea2306c1b1d171c61c44a92b88b8e8fde2e9af21d84b8ac1

C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\setup_install.exe

MD5 666d7b6b5ba7a47f6b8a3a56800ad347
SHA1 3714147ef3df1e4b0c62b4754b942269e5c3055a
SHA256 31d32aec04312969a0b80e8e896ea2e366d7704ce7b7115afd219df1c88527b8
SHA512 4137ecdb33ae8ab05c44cc6446d45e5a8d45ed0d6b18ab5fadeec05d20d963d7e7d6c77c1a99d763e22313e88780cbcd2481483552c9b7982f0132e0e9d441a1

\Users\Admin\AppData\Local\Temp\7zSCB87E566\libcurl.dll

MD5 21846c26571b122668ffaeb676c22063
SHA1 2e1fcdbbdaaf47e8898c20086bd2ec6f45eb6ad6
SHA256 fc9c226b9888c948cb82855bdb4183dfde2ebc7e7c231e5590a41445ded3d449
SHA512 dcd6ebbfcbd4f7964cb3476a6b3681ac03a4decbcba9d85a6db17d1a734e23d51cf804e771d17610f3072f8597fb2c20de16401d6cf29a5118bb8bd43997f872

C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\libstdc++-6.dll

MD5 08a7561ff48ee2891568d924e561f93b
SHA1 9e3899b92c61fd156d1497088905081643f7096a
SHA256 b73732c3569aab6e393997048cdf451a9ad72154bf1ff5d95916696973a5cd4f
SHA512 942ca797731841bdb5a4bb6cbfaa291e1d035afc55a80cfeefc9c919889377a1e010dd8a81fa0fadec020130067c6df6f0a7bd22bbca89ce60524fe1324a6c0c

\Users\Admin\AppData\Local\Temp\7zSCB87E566\libstdc++-6.dll

MD5 8a5553f6ac4c1072ad0bc52f8d959c6a
SHA1 9033e95586fb574c68156fcb68a3cf07b13603b4
SHA256 1a452e3a54b65ce7dbe3355faf6b2a1cdb759a5ef6b5600ae431b4122f44083e
SHA512 a178e23386569480b854389633070abf99ed2bde111596c65a748133b3ba3cd79ae95c526f463ccb6b372ee050611efeff0febe68fd531a969248d08347a2bf5

memory/2868-69-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2868-71-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2868-72-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2868-75-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2868-77-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2868-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2868-82-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2868-83-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2868-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat0489e5e7edba.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat044149d0d9a89f.exe

MD5 9cdd0ddf42b247201efe097a9168eaf8
SHA1 d0f4f7999536fa813f20156ba883b4d268302684
SHA256 68ca872141417f1d26f926dd5658699db189bcdfa72da63d91692c36d898b8d9
SHA512 af64ef07b9711c4514d15dafa46544b62fa5825ca1a1cd3087a729dcb4dabea4713cee0564778e6d0e1a102ab0dc58a5bbf543bdf87b19ea0b08cd2821a60767

C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat04436aa032.exe

MD5 936224d276d0d1cf8280fc73c59ac9d4
SHA1 e871a6050fe93dd28a22e07b95eace43c0646073
SHA256 72023b96ed6c2016ec21f3da9e36637754789cd5286f68a17e361ac941760e58
SHA512 e2e6b983c36c0b4ae76b5e23d6b3acd7b82450b3c03d94dbd1f4803bee471254dc9b8ed1425d8f047fb787a83e2617f06df3627b9cf1bdd14c46a9ba3bb22051

\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat046b489ca6a4ca7b.exe

MD5 1cafe5b22570da4e4d62bb69f7453bfb
SHA1 264bb8e7d422074412856167436e461a7b3e7bbd
SHA256 eb12c6afdfca60625fbd65eba304567b573e5f1fe68fe7b0ab083ae137d962c4
SHA512 80a7232586763ab6e62d95772aad6b162ad21987254d8f73b23bb695ef400aeca1a35ab318af8064178216ad9c74c449987f41bff1a42d98abf420fbd3537f18

\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat0467ed277dbd5c.exe

MD5 c41718360bf94a8dd40b69c13e126fb1
SHA1 39ceab30540784923234870435e3b731a891b5a8
SHA256 4495caf2daee5e6b5dd52c0bc40b6027d01289cbd1fdf4607d97a84bd43671ee
SHA512 433951e38437a0fb6f57adaa6892ab2c75b2b24333fdd03504bcbadb98b23f4f89e089661593070e6a3d4f328ffcb391bb72044b083fcc7dc94ed9c63690ded3

\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat043dfd5d2de5535b.exe

MD5 7163832340d0d85dff14c5eb5f41b848
SHA1 0563ad0ee07fdab923371707a1542b28a2db199e
SHA256 3bc3a2284227786780d51dad18b095487064f09a912de0b07f9133486feec5b8
SHA512 0f37c774856acfba00157b85df920196372269dc6b0608ab0ce4893f202ffea9038f55fa1ed63a666158d86b52a9c9cef748302aaaaca615b1e46e82450c72d2

\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat046b489ca6a4ca7b.exe

MD5 f9ee43a3efa9dd55b9bb3fc612e011dc
SHA1 cc9a4279786e10205e1286f98b22537221dc94bd
SHA256 a7a6ec648f4b44d6e4f0d35fccf219fc9cef16bb9cabeee66a111b0d9addb351
SHA512 9d3175f5c90d1909290e34b31d191d9d16b87ed73699e88e4969ab0e5c1ff1c7695ea8436a87107b219d8900d294ad74ef7d03234f356456c2fdbcafdfc01878

\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat046b489ca6a4ca7b.exe

MD5 46b4973ed67fc24b0cb3b7682d56d053
SHA1 27a1081453c85d9367f4fe117b2f3a45ae8b18ae
SHA256 77142d99ec7c044f089267b3e027a2b1750681fbfd1ca2de0d2a72ec9223b709
SHA512 539d9c8934559838b52a69180647cfeb02b36d9bff8d86f2e08bd0dc9f6f7a52d1940826e5fae778f421a0e9545908a858bb86d542552b594e58969f56e86638

memory/1068-126-0x0000000000EE0000-0x0000000000EE8000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat0451bd044df656.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat0489e5e7edba.exe

MD5 ec2c058e381a18588ad278f41166e58c
SHA1 b0ae1385f30328dde74174480db989b38a4da270
SHA256 13b6ab69f9ebc6861e4120b8ab21937392c95c29b4b36899e8ed00fb27041a04
SHA512 dc470cedfae0b58e2a681d44e746477fd81e1be6bc9594bf28ffae50a93ca8b101b94897382f880fe25f00fe40e353b007303af763f96eaa6d0ecf5b4b18ef7e

\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat0489e5e7edba.exe

MD5 7c266ef5d8b3e8c9ad0e983a4fd1fc06
SHA1 550dbc20b441f2d5fd0f42decef34b34e0dcff1a
SHA256 884b7024a1b9ef11290b3b71992f33fdcedbb2d5eb8ba03b02ea33df1d7a9bf9
SHA512 5279b7f4345507f8efa7711d72b04274b51d9ea3165464c4174fbbbdcf7f04f76da446d5e8a7cf4da3009d3c057ad48368c7c83786aaa2bc29a35f6766de9ce4

memory/1660-128-0x0000000000D00000-0x0000000000D2C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat0467ed277dbd5c.exe

MD5 c2a3de57ecce246b28c785d66fbad1ad
SHA1 8dcdf56ca1655da2b02707344f93cba1b3722b48
SHA256 bcca6b3c298bac1cec056df17eaa97238b9cb70e4bfd39a5f7c3a65ce5df2c85
SHA512 d0c42e9f3e2cb1152e6e2ef6764f8fb3e6996df727059296e0e559ab148771919cdc49271155221d602da1d15717732499b0932a1a828cd17cb07e7e6e4ae10e

C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat041b8c13f01a.exe

MD5 d1d4b4d26a9b9714a02c252fb46b72ce
SHA1 af9e34a28f8f408853d3cd504f03ae43c03cc24f
SHA256 8a77dd50b720322088fbe92aeba219cc744bd664ff660058b1949c3b9b428bac
SHA512 182929a5ff0414108f74283e77ba044ab359017ace35a06f9f3ebd8b69577c22ecc85705cb908d1aa99d3a20246076bc82a7f6de7e3c4424d4e1dc3a9a6954cd

C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat04a3dff8dec.exe

MD5 5f1ececc707a8c1f672eba6bbe04be06
SHA1 de783f86217185293b2207608d2d86db1f5bfee0
SHA256 d6e01f54990ae0b4388fa66d51e14a298b0dcdc2882b34304cd41ad3584fcb41
SHA512 42d0cd002451cbe3c85cc97c7ddb6989882088d540d661a9b0cc98f8f64ce2d6c0ed98cc7976adb76b6b26375b8d606c0a986e1362bf96e83c970b9b1b60c9fe

memory/1660-165-0x0000000000350000-0x0000000000372000-memory.dmp

memory/1208-169-0x00000000046A0000-0x00000000046C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\Sat043dfd5d2de5535b.exe

MD5 d23c06e25b4bd295e821274472263572
SHA1 9ad295ec3853dc465ae77f9479f8c4f76e2748b8
SHA256 f02c1351a8b3dc296cf815bb4cd2bcc2d25b3b9a258ab2ad95e8be3d9602322c
SHA512 122b0ef44682f83651d81df622bbff5ad9fa0f5bbd6b925e35add9568825c0316c0f9921dac21cf92cb44658fc854f7829c01ae3b84aa0745929f8ef5e6ae1ae

memory/2868-79-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2868-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2868-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSCB87E566\setup_install.exe

MD5 ad435894072d42e540a61a5d35b2973b
SHA1 81ea088c7ddb06b60a1a41df00973c5ef96ca76a
SHA256 e2dda5b413846fa73bd09b364cfb74965858e3eba51a39275d05ba1e37ecceaf
SHA512 d4cddc95beb675e9d5b31ec8181fb8868640c6f0eca1112b84c2375eb6140f65d5ae08986910c623b72bffdc7cd62dfa2cac954354a177b236d58c5b0aaae22b

\Users\Admin\AppData\Local\Temp\7zSCB87E566\setup_install.exe

MD5 5e7ed5232fcd67eaa03aa2fef83b9725
SHA1 f5d230af331fb2aa79079d2a97016251775dc061
SHA256 a891395fa00b7ef51e04cccece22bbb81a963a8884a7b0042cbb4a46dc5a282c
SHA512 961652f0977e115a31dc2fb8107e3b26ee8badf43beddaf80103a5a9fc04b99590ff5bddc09fe4ae53b9ec329d017358fef57d627fbcbbf896ab0288a64b3e9b

memory/2868-66-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1208-177-0x0000000004960000-0x0000000004980000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSCB87E566\setup_install.exe

MD5 715b127658bfb3940d9a17bec0825530
SHA1 d890dd82bded34b831f2ff07924fc95d55605665
SHA256 db7067289a13fef02a87b2b497c9ee08b9fb2af430f2fcb79c7691af5e900ab1
SHA512 c3610a8131b4178ecee94284d1892c4745785e3b0ca0d799f68f1b3ead5087222b485d4562c3465558149e69705f5b45503372608393f0262f1cdb0e501c81dc

C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\setup_install.exe

MD5 0012cd25d45c6b50da1b7237be7c4fa9
SHA1 62f0836c5cb8bfa3c4e836574c94db0bb583f17c
SHA256 44e1083e61a2ea0308dc3e6baa9e5556390f0bcc5e149f6670c47dcf9ab66ba9
SHA512 50d4c5f5c0696f6fe9cf310323c6c7659dee112faa3e40df280778df1b61221086b0f3967c019ab0bae58d135e6deb96fb0fc5bab344e45ae23f9cdde040e67d

\Users\Admin\AppData\Local\Temp\7zSCB87E566\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zSCB87E566\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/1660-178-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSCB87E566\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/1784-180-0x0000000000240000-0x0000000000249000-memory.dmp

memory/1068-179-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

memory/1784-181-0x0000000000400000-0x00000000023AF000-memory.dmp

memory/1676-183-0x0000000002850000-0x00000000028ED000-memory.dmp

memory/1676-182-0x0000000000240000-0x0000000000340000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSCB87E566\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/1676-184-0x0000000000400000-0x0000000002403000-memory.dmp

memory/1208-185-0x0000000002E40000-0x0000000002F40000-memory.dmp

memory/1208-186-0x0000000000270000-0x000000000029F000-memory.dmp

memory/1208-187-0x0000000000400000-0x0000000002CCD000-memory.dmp

memory/1068-189-0x000000001A850000-0x000000001A8D0000-memory.dmp

memory/320-190-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/1660-191-0x000000001AE60000-0x000000001AEE0000-memory.dmp

memory/1784-192-0x00000000024A0000-0x00000000025A0000-memory.dmp

memory/1208-193-0x0000000007300000-0x0000000007340000-memory.dmp

memory/320-188-0x00000000732D0000-0x000000007387B000-memory.dmp

memory/1296-221-0x0000000002970000-0x0000000002986000-memory.dmp

memory/1784-222-0x0000000000400000-0x00000000023AF000-memory.dmp

memory/2868-347-0x0000000000400000-0x000000000051B000-memory.dmp

memory/2868-348-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2868-349-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2868-350-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2868-351-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2868-352-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/320-354-0x00000000732D0000-0x000000007387B000-memory.dmp

memory/1660-375-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

C:\Users\Admin\AppData\Roaming\ehbrrat

MD5 edece30f95dfd4e30f60ecf27502fbdb
SHA1 b28c5ba7998656d3b44a75be6e1914407d6107e2
SHA256 145cc9142c571be43c679e25d0b3069f558ec151dbf272c60b625d6fd22adc57
SHA512 1d9b1beecc7019d9c183b69b8f53622629b67f252d12049e3884a4e1264cf4270684d1c7f24e7c731a1b6d32809ce6eee0b34e1448768d1c164319a451be5b29

memory/1016-387-0x0000000003AC0000-0x0000000003B63000-memory.dmp

memory/1016-388-0x0000000003AC0000-0x0000000003B63000-memory.dmp

memory/1016-389-0x0000000003AC0000-0x0000000003B63000-memory.dmp

memory/1016-390-0x0000000003AC0000-0x0000000003B63000-memory.dmp

memory/1016-391-0x0000000003AC0000-0x0000000003B63000-memory.dmp

memory/1016-393-0x0000000003AC0000-0x0000000003B63000-memory.dmp

memory/1016-392-0x0000000003AC0000-0x0000000003B63000-memory.dmp

memory/1068-402-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

memory/1676-403-0x0000000000240000-0x0000000000340000-memory.dmp

memory/1068-405-0x000000001A850000-0x000000001A8D0000-memory.dmp

memory/1208-404-0x0000000002E40000-0x0000000002F40000-memory.dmp

memory/1208-406-0x0000000007300000-0x0000000007340000-memory.dmp

memory/1016-415-0x0000000003AC0000-0x0000000003B63000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rLFlYIc7p0\_Files\_Information.txt

MD5 cbdd4f9aabff34b04c02923a073a660c
SHA1 49732d209a2debc34e5491b80ef220c03b71e0f7
SHA256 bd062dcfb7964920a3727584de131ba39cf26f4c830052d3d5e73a9d20c874bb
SHA512 a990adff9766ce31c6cb85da14f128872e752baeb8dab3d58cd241a92fd6805d7cbb6a367dc4c1dc1b25201a26ea3af119a3431603b159ea08f5cbc0d6fc868a

C:\Users\Admin\AppData\Local\Temp\rLFlYIc7p0\files_\system_info.txt

MD5 ac30110cad8486dc42d2d80482d6121f
SHA1 9164b654a241b05f30126e36374702ae78992644
SHA256 12d644f82e1f290fe52b2ec59edd3d67c9e351c9df77d591f0ca395b4e55eb21
SHA512 051c5e46eb6345fc0c80443b370e61877d700397e1e4305a0d8f1e9a8c09dda42ea6ff842684f6ec67b588ff06e1176f324750b17fd44622a4c7e1bd94de2364

C:\Users\Admin\AppData\Local\Temp\rLFlYIc7p0\_Files\_Screen_Desktop.jpeg

MD5 fcd1c93a35f5249f7d9d6815d4be2632
SHA1 4fcbb59464d58293bfdf44800322648f2901890f
SHA256 87f2b8a5ad8b2d8e0c3617e7c410c5bbabcbc2dc16d3ed7884ed296b04eb2d13
SHA512 0f6df06ee6a726d44da6d4513aee2f09edbe7c19e51cc213d42f76793c6ceb32589a4aa54dc2ed9591294c549372210db9261c81cb820c9a9eb260a0af981916

C:\Users\Admin\AppData\Local\Temp\rLFlYIc7p0\3ranC76gWq.zip

MD5 320ec79d11d9e5c0d7c68b409a69ffc2
SHA1 38e96abeede884dda0ad86de38da745906c6665d
SHA256 44d06557d441f3b7aba611f3097f3232b92c75718879ddb125beda2e2434db3d
SHA512 966d5aacea5df2aab9f3c09efea188370455b80bcfb233f2497dad55b5534e57823399e1e6e430d36b541c4e049b9ee59d1094cab02f3ba8442a8591a2d94380

memory/1016-659-0x0000000003AC0000-0x0000000003B63000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 04:23

Reported

2024-01-02 05:08

Platform

win10v2004-20231222-en

Max time kernel

0s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28048a470181ea26c44efccc5613248d.exe"

Signatures

NullMixer

dropper nullmixer

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Vidar Stealer

stealer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\28048a470181ea26c44efccc5613248d.exe

"C:\Users\Admin\AppData\Local\Temp\28048a470181ea26c44efccc5613248d.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\setup_install.exe"

C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\Sat046b489ca6a4ca7b.exe

Sat046b489ca6a4ca7b.exe

C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\Sat041b8c13f01a.exe

Sat041b8c13f01a.exe

C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\Sat0489e5e7edba.exe

Sat0489e5e7edba.exe

C:\Windows\SysWOW64\dllhost.exe

dllhost.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c cmd < Abbassero.wmv

C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\Sat0451bd044df656.exe

"C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\Sat0451bd044df656.exe" -a

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^VHwgFRxzxxLcwcGoqrvwdRkyDDkqmNLTpdmTOMvFsotvynnSaSEGawtrcWKeGzUGIRjLVNzgHQJiNPZttzIGotBijvbSexZYgbNhjNWFndZB$" Rugiada.wmv

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\SysWOW64\PING.EXE

ping AVCIKYMG -n 30

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com L

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com

Piu.exe.com L

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1644 -ip 1644

C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\Sat04a3dff8dec.exe

Sat04a3dff8dec.exe

C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\Sat0467ed277dbd5c.exe

Sat0467ed277dbd5c.exe

C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\Sat044149d0d9a89f.exe

Sat044149d0d9a89f.exe

C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\Sat04436aa032.exe

Sat04436aa032.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\Sat0451bd044df656.exe

Sat0451bd044df656.exe

C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\Sat043dfd5d2de5535b.exe

Sat043dfd5d2de5535b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat041b8c13f01a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0467ed277dbd5c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat04436aa032.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat04a3dff8dec.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat043dfd5d2de5535b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat046b489ca6a4ca7b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat044149d0d9a89f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0489e5e7edba.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0451bd044df656.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 2.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 hsiens.xyz udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
NL 37.0.10.214:80 tcp
US 8.8.8.8:53 your-info-services.xyz udp
US 8.8.8.8:53 webboutiquestudio.xyz udp
US 8.8.8.8:53 yournewsservices.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 iplogger.org udp
US 104.21.4.208:443 iplogger.org tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 eduarroma.tumblr.com udp
US 74.114.154.18:443 eduarroma.tumblr.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 18.154.114.74.in-addr.arpa udp
US 8.8.8.8:53 53.96.141.3.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 2no.co udp
US 8.8.8.8:53 viacetequn.site udp
US 8.8.8.8:53 mfBkjRLTfwLSsveoSyZ.mfBkjRLTfwLSsveoSyZ udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 208.4.21.104.in-addr.arpa udp
US 8.8.8.8:53 s.lletlee.com udp
US 172.67.149.76:443 2no.co tcp
US 8.8.8.8:53 76.149.67.172.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 viacetequn.site udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 viacetequn.site udp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 viacetequn.site udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
NL 37.0.10.244:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp

Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 d772d6902200f5d4599a9b27d0d8f9e6
SHA1 564eefb3fabe655b2fb51f492959b158cb20e12d
SHA256 7bf11639663306b53a7fe0e3826d12f03e1dda7b1fb3abaa758e3281d35f8e17
SHA512 6682d79a013129aceba9cde75a82f0444a28d30bfbd1c4656d7e3774b469283027a780362657c908c991f9b5939db32792e6713a323667ab763a95b3f3e23d36

C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\setup_install.exe

MD5 176da3b4ae2c18efcdf8ef40acab3197
SHA1 da9153f6e669140f4bea834f34fc7f5e36762777
SHA256 285afb639d43b31e8a79c981312162d207d41ef110bff241e8f70c044d40bf36
SHA512 4930019a62ece49638dc6f73c3d88056a095abae2013d02217e7ae6b517784a0c6dccd8d2e0bfe6ace43ecd3ef2b4f9c92a003387c1c70130b6ed925325d87ef

C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\setup_install.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\setup_install.exe

MD5 8c4543c3763d632ac4ccdea76d425512
SHA1 183753707e946d33b16b63470f189172221364fe
SHA256 6ad79b3927d69e4d51409342f37f31c720be9ab0a0bbf468da5f681a67b1ed8f
SHA512 dd02394c9dd20bbb9a9e53ab5378500c5b8d2a83860af868dfcc2703f0547563ee1baff58d645cfc9cb6ff355896d79e26735fb66536fbb389dbfda076e6b17d
